Windows NT, from version 3.1 through 2000 and XP, has a nice (and documented!) feature: a file can have multiple streams. One stream might hold the data, another some information or metadata. Either way, a small data file can carry a bigger (and hidden) alternate stream containing anything from viruses to information you simply want to keep out of sight. This (sometimes useful) feature can be exploited in not so friendly ways.
Creating an ADS: example
- Create an ADS associated with hello.txt file:
echo "Hidden text" > hello.txt:hidden
- Associate an executable with an ADS:
type prog12.exe >hello.txt:hidden.exe
- The ADS text can be viewed with the same syntax:
notepad hello.txt:hidden
- Running ADS executable:
start hello.txt:hidden.exe
(On Windows NT this gives an error about absolute paths, so running it with an absolute path solves it:)
start c:\hello.txt:hidden.exe
This command starts a new shell and executes the program. Done.
- Another feature is that an ADS can be attached to a directory:
type "in hidden dir" > c:\HELLO:hidden.txt
- What makes ADS still cool (in an evil way :) is that public awareness is still restricted to a specific public.
These ADS cannot be detected with the DIR command. DIR reports the file hello.txt with just its size, not counting the alternate streams. Two good free programs to detect ADS are LADS by Frank Heyne and streams by Mark Russinovich. The screenshot output shows how to create 2 alternate streams, one with text and one with an executable, and also that normal DIR operations don't detect them.
Deleting ADS
- If you move the file/folder containing alternate streams to a file system other than NTFS, the alternate streams are lost.
- If the ADS is not attached to a directory, you can copy just the content of the file (without the ADS) to a new file, and optionally delete the old one:
type hello.txt > hello_noads.txt
- If the ADS is attached to a directory, use the trick from Frank Heyne's site, or use the streams program with the -d parameter.
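Since DIR stays blind to alternate streams, a defender needs a way to enumerate and remove them across a whole tree. The PowerShell function below is an added example (not part of the original post and not one of the tools it links) covering both the detection point above and the deletion section; it assumes PowerShell 3.0 or later on an NTFS volume, and the path C:\hello.txt and stream name hidden.exe in the usage comments are the hypothetical ones from the post.

```powershell
# Enumerate every non-default NTFS stream under a path.
# Files and directories are both checked, because a stream can hang off a
# directory (the c:\HELLO:hidden.txt case) just as well as off a file.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Zone.Identifier is the legitimate "mark of the web" stream written by
        # browsers and mail clients; it is skipped unless explicitly requested.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # -Stream * lists all streams of the item; ':$DATA' is the unnamed
            # default stream, i.e. the content DIR already reports.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path        = $item.FullName
                        IsDirectory = $item.PSIsContainer
                        Stream      = $_.Stream
                        Length      = $_.Length   # bytes hidden from DIR's size column
                    }
                }
        }
}

# Remove one named stream from a file or directory while leaving the
# default content untouched. On older PowerShell builds this may fail for
# streams attached to a directory; the streams -d tool covers that case.
function Remove-AlternateStream {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Stream
    )
    Remove-Item -LiteralPath $Path -Stream $Stream -ErrorAction Stop
}

# Usage (hypothetical paths from the post):
#   Find-AlternateStreams -Path 'C:\' | Format-Table -AutoSize
#   Remove-AlternateStream -Path 'C:\hello.txt' -Stream 'hidden.exe'
```

Before deleting a flagged stream, its content can be inspected with Get-Content -LiteralPath <file> -Stream <name>; a stream whose size is large relative to the visible file, or one named like an executable, deserves a closer look.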
References:
- NTFS Streams
- The Dark Side of NTFS (InfosecWriters)
- A thorough analysis of NTFS ADS (Frank Heyne)
- Streams v1.56 (Mark Russinovich)